wolfSSL secures the world’s first SP800-140Br1 compliant FIPS 140-3 Validation Certificate

FIPS 140-3

In case you missed the news, wolfSSL Inc., a globally renowned leader in cryptography and network security solutions, is thrilled to announce the world’s first SP800 140Br1 compliant FIPS 140-3 Validation Certificate #4718 for wolfSSL’s wolfCrypt module.

EDMONDS, Wash., July 16, 2024 /PRNewswire-PRWeb/ — wolfSSL, INC., has partnered with AEGISOLVE, INC., on this unprecedented automated pilot program. Aegisolve is accredited by the National Voluntary Laboratory Accreditation Program (NVLAP Lab Code: 200802-0) for Cryptographic and Security Testing to assess and validate cryptographic based security systems and telecommunications infrastructure.

“As we move forward, wolfSSL remains focused on enhancing our technologies and expanding our capabilities. We are dedicated to continuous innovation in security. The advancements in our FIPS 140-3 module highlight our commitment to delivering state-of-the-art cryptographic solutions that meet the rigorous demands of today’s cybersecurity landscape.” Stated wolfSSL’s CTO, Todd Ouska. “Our collaboration with AEGISOLVE is just the beginning of a new era in cryptographic security, paving the way for future innovations and industry standards.”

“As a first of its kind, this is a tremendous achievement and a huge step forward for the next generation of FIPS 140-3 Validated Cryptographic Modules.” Reported Travis Spann, Founder and President of AEGISOLVE (NVLAP Lab Code: 200802-0). “AEGISOLVE is proud to have collaborated with the high-caliber wolfSSL team in the NIST SP800-140Br1 Pilot Project to achieve this groundbreaking milestone and we are eager to assist others to achieve the same goal.”

FIPS 140-3 validation testing is a rigorous and extensive process including detailed source code reviews, design reviews, documentation reviews, finite state machine verifications, CVE threat analysis, error injection, port sniffing, configuration management verifications, operational testing and test evidence auditing to the applicable requirements of the FIPS 140-3 Derived Test Requirements and FIPS 140-3 Implementation Guidance.

The National Institute of Standards and Technology (NIST) under the Cryptographic Module Validation Program (CMVP) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules for use by departments and agencies of the United States federal government.

Highlights: Under wolfCrypt FIPS 140-2, power on times in standard and embedded targets could be slower due to power on self test requirements of the module. With the wolfCrypt FIPS 140-3 module self-tests are now only required the first time an algorithm is used or when the application decides is an ideal time to run the test during a slower event cycle and ahead of first algorithm use. This means much faster boot times and optimal power and resource consumption with careful planning!**

Differences between wolfCrypt FIPS 140-2 and wolfCrypt FIPS 140-3:
– 3DES removed from the module, 3DES no longer available
+ CAST (conditional algo self tests)
+ KDF-TLS, TLS v1.2 KDF and TLSv1.3 KDF
+ SSH KDF
+ AES-OFB mode
+ RSA 3072, 4096 and PSS
+ New Degraded mode of operation, which means that in the event of a CAST failure other algorithm services will remain available.

* FIPS 140-3: Federal Information Processing Standard Publication 140-3. For more about what FIPS is please checkout these blogs:

** For information on transitioning from 140-2 to 140-3 please checkout our blog: What is the difference between FIPS 140-2 and FIPS 140-3?

If you have questions about any of the above, please contact us at fips@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSH 1.4.18 Now Available!

It is Christmas in July! The summer release of wolfSSH is here, version 1.4.18!

Version 1.4.18 brings with it bug fixes, new features, and some enhancements as well! New features in this release include new algorithms and a memory configuration option.

We also have a nice round of enhancements which range from channel setup callbacks, better testing, improved portability, and more!

New Features

  • wolfSSL style static memory pool allocation support.
  • Ed25519 public key support.
  • Banner option for wolfSSHd configuration.
  • Non-blocking socket support to the example SCP client.

Improvements

  • Documentation updates.
  • Update the Zephyr test action.
  • Add a no-filesystem build to the Zephyr port.
  • Update the macOS test action.
  • Refactor certificate processing. Only verify certificates when a signature is present.
  • Update the Kyber test action.
  • Refactor the Curve25519 Key Agreement support.
  • Update the STM32Cube Pack.
  • Increase the memory that Zephyr uses for a heap for testing.
  • Add a macro wrapper to replace the ReadDir function.
  • Add callback hook for keying completion.
  • Add function to return strings for the names of algorithms.
  • Add asynchronous server side user authentication.
  • Add ssh-rsa (SHA-1) to the default user auth algorithm list when sha1-soft-disable is disabled.
  • Update Espressif examples using Managed Components.
  • Add SCP test case.
  • Refactor RSA sign and verify.
  • Refresh the example echoserver with updates from wolfSSHd.
  • Add callback hooks for most channel messages including open, close, success, fail, and requests.
  • Reduce the number of memory allocations SCP makes.
  • Improve wolfSSHd’s behavior on closing a connection. It closes channels and waits for the peer to close the channels.

Fixes

  • Refactor wolfSSHd service support for Windows to fix PowerShell Write-Progress.
  • Fix partial success case with public key user authentication.
  • Fix the build guards with respect to cannedKeyAlgoNames.
  • Error if unable to open the local file when doing a SCP send.
  • Fix some IPv6 related build issues.
  • Add better checks for SCP error returns for closed channels.
  • In the example SCP client, move the public key check context after the WOLFSSH object is created.
  • Fix error reporting for wolfSSH_SFTP_STAT.
  • In the example SCP client, fix error code checking on shutdown.
  • Change return from wolfSSH_shutdown() to WS_CHANNEL_CLOSED.
  • Fix SFTP symlink handling.
  • Fix variable initialization warnings for Zephyr builds.
  • Fix wolfSSHd case of non-console output handles.
  • Fix testsuite for single threaded builds. Add single threaded test action.
  • Fix wolfSSHd shutting down on fcntl() failure.
  • Fix wolfSSHd on Windows handling virtual terminal sequences using exec commands.
  • Fix possible null dereference when matching MAC algos during key exchange.

Visit our download page to download the release bundle, or clone it from GitHub. Feel free to email us at facts@wolfssl.com or support@wolfssl.com or call us at +1 425 245 8247 with any questions about the wolfSSH embedded SSH library or other products.

Download wolfSSL Now

Live Webinar: Secure and Reliable Firmware Updates with wolfBoot

Learn the intricacies of connected embedded systems and the challenges they face, particularly focusing on the pivotal role of secure boot mechanisms in enhancing security.

Watch it today for “Secure and Reliable Firmware Updates with wolfBoot.”

In today’s interconnected world, the ability to remotely update various artifacts within embedded systems is crucial. However, this convenience brings about significant security risks that must be meticulously addressed. Join our expert, Daniele, as he provides an in-depth guide on securing embedded systems, highlighting the importance of secure boot mechanisms and introducing wolfBoot as a premier solution in firmware security.

Key topics that will be covered include:

  • Explore IoT security challenges impacting device integrity and data protection.
  • Learn how a secure bootloader ensures trusted firmware updates.
  • Discover wolfBoot’s capabilities in secure firmware updates and device reliability.
  • Understand the importance of trust anchors for system integrity.
  • Dive into cryptographic algorithms for firmware authentication and update management.
  • Learn about new wolfBoot features enhancing security and functionality.

Don’t miss out on this chance to fortify your knowledge and skills in securing embedded systems. Check it out today and take a step towards securing your IoT devices against emerging threats.

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Everything You Need To Know About FIPS 140-3

wolfSSL is currently the leader in embedded FIPS certificates. With current FIPS 140-3 validated certificate #4718 for the wolfCrypt Cryptographic Module, wolfSSL is thrilled to hold the world’s first SP800-140Br1-compliant FIPS 140-3 Validation Certificate. Join the wolfSSL team as we cover all things FIPS 140-3. We will cover the current transition to FIPS 140-3, its importance for cybersecurity, as well as how wolfSSL is implementing it in our products.

Watch the video: Everything You Need to Know about FIPS 140-3

FIPS 140-3 is the third revision of the Federal Information Processing Standard (FIPS) for cryptographic modules. The new revision of the standard includes an increased focus on algorithm agility, updated requirements for testing and validation, including changes to the testing methodology. wolfSSL is at the forefront of this important transition, and is working to ensure that its products continue to meet the highest standards of security and compliance.

FIPS 140-3 establishes the security requirements for cryptographic modules used by the U.S. government, as well as other organizations in the public and private sectors. By complying with the FIPS 140-3 standard, organizations can have greater confidence in the security of their cryptographic solutions, which is particularly important in today’s world where data breaches and cyber attacks are becoming more frequent and sophisticated.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

What is FIPS (short version)

Doing FIPS responsibly since 2014!

FIPS is a set of standards, detailed in Special Publications, that need to be met to be awarded a FIPS validation/certification published on the NIST website.

A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal, or military agencies and is often required by some private sector entities as well.

The typical FIPS certification process is as follows:

  1. You send us your hardware and toolchain
  2. We run the initial tests which ensure the cryptography module behaves according to specification given your specific hardware and OS
  3. The CMVP certified lab runs and verifies the tests and their documentation
  4. The test results are submitted to NIST for review
  5. Your specific operating environment is added to our certificate
  6. You are FIPS 140 compliant in 60-90 days

For more info please see the long version of this post.

If you have any questions about FIPS or the process of being awarded a FIPS validation/certifcation please contact us at fips@wolfssl.com, support@wolfssl.com or +1 425 245 8247 anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

Download wolfSSL Now

What is FIPS (long version)

Doing FIPS responsibly since 2014!

INTRO (wolfSSL FIPS service(s)):

(skip to next paragraph for “What is FIPS”)

FIPS is rightly viewed as a complex process with a steep entry learning curve. Lucky for customers of wolfSSL Inc. our management and engineering team have taken the time to learn the documentation surrounding the topic and developed all the tooling necessary to complete FIPS validation testing of the wolfCrypt cryptographic module in coordination with an NVLAP accredited FIPS lab. In order to FIPS validate a new product or operating environment (OE), wolfSSL asks for simply a customer’s hardware, compiler/toolchain (IDE etc), and a guide such that one of our FIPS developers can sit down with nothing but a laptop and achieve compiling and running a hello-world.c application on the target product to be FIPS validated. Yes you read that right, wolfSSL does not need your proprietary application software, just a hello-world.c application to get started. The CMVP validates the cryptographic module running on the target, not the applications that are consuming that cryptographic module. The wolfSSL team will standup the wolfCrypt module on your target product and take it through the certification process as quickly as possible leaving your dev team free to focus on preparing the end product while FIPS certification is taking place simultaneously!

HISTORY (What is FIPS):

Since there are so many options for securing information, the U.S. and Canadian governments recognized in the 1990’s a need to standardize those algorithmic methods deemed to be the most secure and enforce use of only those algorithms in critical government systems. To “encourage” adoption of the requirements by the two governments, the organizations NIST (National Institute of Standards and Technology)¹ and the CCCS (Canadian Centre for Cyber Security)² were called upon to fulfill that mission. The two agencies were to collaboratively:

  1. Decide which algorithms were the best/strongest
  2. Evaluate: If an algorithm had multiple modes or key lengths which modes or key lengths (if any) were considered too weak and should be excluded?
  3. Determine if there were other requirements aside from just having the algorithms implemented correctly
    1. Did the algorithms NEED to be re-tested periodically? (IE as the device was powering up)
    2. Did the module need to be checked periodically to see if it had been tampered with since the factory? (IE an integrity check, etc)
  4. Finally to enforce/encourage adoption of these standards by federal agencies belonging to either government. (Eventually expanded to include medical and some private entities as well)

These standards were called the “Federal Information Processing Standards” or FIPS. These standards were documented in a series of “Special Publications” (SP’s).

Out of a need to document which cryptographic modules and vendors were abiding by the standards set forth, a “certification” program was decided as the best approach. Vendors who made cryptographic modules could submit for and be awarded a certificate if their module was found to be compliant with all standards applicable to that module. The certificates would be hosted on the U.S. based NIST website so that federal agencies (or the public) could “browse” the available FIPS certified modules.

It was a big job for the two agencies to handle alone, so in 1995 NIST and CCCS established two organizations called the “CMVP” (Cryptographic Module Validation Program)³ and CAVP (Cryptographic Algorithm Validation Program)? to handle testing Cryptographic modules for compliance with the standards. These two organizations would also handle issuing the certificates for vendors and products that passed algorithm testing and were found to meet all applicable standards outlined in the SP’s.

The CAVP issues algorithm certificates (which are a prerequisite to submitting a module for FIPS certification to the CMVP). The CMVP issues FIPS certificates for “tested configurations” or “operating environments” found to pass the CAVP testing and be in compliance with the standards. Both certificate types (CAVP algo certs and CMVP FIPS certs) are hosted on the NIST website. The certificates are public domain and can be searched by anyone.

Once established, the CMVP and CAVP needed to establish a way to “test” the modules. To that end they called upon the NVLAP (National Voluntary Laboratory Accreditation Program)? to accredit “third-party” testing laboratories that would serve as an intermediary between the vendors seeking FIPS certification and the CAVP/CMVP bodies.

A last step in the history of FIPS was adoption of software modules. Originally when the standards were written, only dedicated hardware could perform the heavy lifting necessary for cryptographic mathematical operations so the standards were designed with ONLY hardware modules in mind. Doing cryptography in software at the time was impractical and therefore not considered in the original standards. As general purpose CPUs advanced, eventually it became feasible to implement algorithms in software and have those expensive math operations executed by a general purpose CPU in a reasonable amount of time. Once this reality arrived the standards were “adapted” to allow for both hardware and software modules. To this day there are “some scenarios” in the standards that only seem to make sense for hardware (See our blog post on vendor affirmation and how some software vendors are exploiting a loophole in the standards that was intended for hardware). NIST, the CMVP and CAVP have done a lot of work in the past few years bringing about the latest 140-3 standards and wolfSSL Inc is very excited to be one of the first software modules with a commercial FIPS 140-3 offering!

The Process (validating a module):

Today a hardware or software vendor will work in coordination with an NVLAP accredited lab to complete algorithm testing and receive algorithms certificates.

(Milestone 1 of a FIPS certification effort)

Once the vendor receives the prerequisite CAVP certificates they will perform operational testing with the same NVLAP accredited lab. Once all testing evidence has been captured and everything reviewed and approved by the NVLAP quality assurance department, the lab is ready to submit everything to the CMVP.

(Milestone 2 of a FIPS certification effort)

The CMVP will coordinate with the vendor via the NVLAP accredited lab and once all requirements have been satisfied the CMVP will either issue a new FIPS certificate or update an existing certificate if the vendor is adding an operating environment to an existing certificate.

(Milestone 3 of a FIPS certification effort)

Submission Scenario(s) supported by wolfSSL Inc:

  • New cert (draw a new module boundary around specific algorithms and certify from scratch resulting in a new certificate)
  • OE addition (Add an OE to an existing certificate)
  • Revalidation (redraw the module boundary of an existing validated module to include new or remove existing algorithms from the boundary description)
  • Vendor Affirmation – wolfSSL is a software module vendor. As a responsible FIPS vendor wolfSSL feels that software vendors are generally incapable of determining how a change to the CPU or OS will affect the cryptography (especially if the CPU or OS changes completely). As such wolfSSL Inc does not currently offer Vendor Affirmation as a path to FIPS. Special circumstances MAY exist but would need to be evaluated on a case-by-case basis.

Timeline estimates for the various scenarios change over time. If you would like an up-to-date estimate for a given submission scenario please contact support@wolfssl.com for the latest.

Summary:

  • wolfSSL Inc can make the process of certifying your product painless and hands-free once we have the product and basic instructions for getting a hello-world app up and running on the target!
  • FIPS is a set of standards, detailed in Special Publications, that need to be met in order to be awarded a FIPS validation/certification published on the NIST website. A FIPS certificate, with the product listed in the certificate, is required to sell product(s) to medical, federal or military agencies and often required by some private sector entities as well.
  • The process can take time so please plan accordingly!

If you have any other questions about FIPS or the process or wolfSSL Inc please contact either fips@wolfssl.com or support@wolfssl.com anytime. We offer free pre-sales customer support, we have FIPS evaluation options and our staff are knowledgeable and eager to help!

¹ The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. – https://www.nist.gov/about-nist

² The Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public. – https://www.cyber.gc.ca/en/about-cyber-centre

³ The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. – https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program

? The CAVP was established in July 1995 by NIST and the Government of Canada’s CCCS. CSD’s Security Testing, Validation, and Measurement Group (STVMG) manages the validation testing of cryptographic modules and their underlying cryptographic algorithms through the CAVP and CMVP. – https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program

? The National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation to testing and calibration laboratories in response to legislative actions or requests from government agencies or private-sector organizations. NVLAP-accredited laboratories are assessed against the management and technical requirements published in the International Standard, ISO/IEC 17025:2017. – https://www.nist.gov/nvlap

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

What is the difference between FIPS 140-2 and FIPS 140-3?

This week we are tackling the question: what is the difference between FIPS 140-2 and FIPS 140-3? wolfSSL is currently the leader in embedded FIPS certificates. The wolfCrypt module holds the world’s first SP800-140Br1 FIPS 140-3 validated certificate #4718. We always strive to keep our users up to date on the latest standards!

With various specification updates, the newest standard of FIPS 140-3 will include the hardware module, firmware module, software module, hybrid-software module, and hybrid-firmware module and will have no restriction as to the level at which a hybrid module may be validated in the new standard. This is beneficial to vendors with hybrid modules looking to be validated at a higher level than level 1. FIPS 140-2 standard was originally written with all modules as hardware and only later were additional modules added.

While both FIPS 140-2 and FIPS 140-3 include the four logical interface data input, data output, control input, and status output. FIPS 140-3 introduces a fifth interface, called the control output interface for the use of output of commands including signals and control data to indicate the state of operation. Instead of the use of a “trusted path” used in FIPS 140-2, FIPS 140-3 uses a “trusted channel” which is a secure communications link between the cryptographic module and the end point device which is sending data to and receiving data from the module, with the goal of securing unprotected CSPs. In FIPS 140-3, the Level 4 module using a trusted channel must use multi-factor identity-based authentication for all services using the trusted channel.

Instead of requiring module support for crypto officer and user roles with the maintenance role as optional, FIPS 140-3 only requires the crypto officer role. There is a new capability within FIPS 140-3, called the “Self-Initiated Cryptographic Output Capability” where a module can perform cryptographic operations or other approved security functions without any operator intervention.

Check out our latest blog post on FIPS 140-3 Announcement to the world.

When it comes to wolfSSL, we are ready to offer the first implementation of FIPS 140-3:

  • The power-on self-test is changing. It now takes two sets of tests: the Pre-operational Self-Test (POST) and the Conditional Algorithm Self-Test (CAST).
  • The old Known Answer Tests used as a part of the old test are not required to run at startup. They are now conditional tests that must be run right before use of an algorithm. If you don’t use an algorithm, you don’t need to test it. The tests will run automatically on calling any API for an algorithm.
  • The pre-operational self-test is now purely an integrity test of the executable in memory. The algorithms used for this test must be tested first. In our case, HMAC-SHA-256’s CAST is run automatically, then the POST. The POST will be run automatically as wolfCrypt’s default entry point in the code.
  • All the tests may be and should be run periodically during run time. We will provide an API to run tests as desired. In an embedded application, you can run your CAST early before any algorithms are used as some CASTs do take time.

Contact Us

Please contact us at facts@wolfssl.com or +1 425 245 8247 with any questions. For technical support, please contact support@wolfssl.com or view our wolfCrypt FIPS FAQ page.

Download wolfSSL Now

Live Webinar: World’s first SP800-140Br1 FIPS 140-3 validated certificate #4718

We are thrilled to announce a landmark achievement in cybersecurity! wolfSSL has obtained the world’s first SP800-140Br1 FIPS 140-3 validated certificate #4718. This milestone is a testament to our commitment to providing top-notch security solutions. To celebrate, wolfSSL Senior Software Engineer, Kaleb Himes, is hosting an exciting webinar, “World’s first SP800-140Br1 FIPS 140-3 validated certificate #4718”!

Watch it now to see the “World’s first SP800-140Br1 FIPS 140-3 validated certificate #4718.”

This Webinar Will Cover:

  • World’s first SP800-140Br1 FIPS 140-3 validated certificate #4718: Understand the significance of this groundbreaking achievement.
  • OpenSSL compatibility: Learn about the integration and benefits of our solutions with OpenSSL, including Provider and Engine support.
  • Java JSSE/JCE provider: Discover how our FIPS-validated solutions work seamlessly with Java security frameworks.
  • Commercial FIPS offering: Explore the only embedded general-purpose commercial FIPS solution available in the market.
  • Expert Team: Connect with industry experts at wolfSSL who make all this possible. We are here to help you navigate the complexities of FIPS certification and implementation.

Don’t miss out on this opportunity to be a part of cybersecurity history. Kaleb will provide valuable insights, practical knowledge, and a chance to interact with industry experts. Check it out today!

As always, our webinars include Q&A sessions. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

FIPS 140-3 Announcement to the world

wolfSSL Inc. is very pleased to announce our wolf pack has successfully hunted down and captured the ever elusive FIPS 140-3 certificate! The world’s first automated submission (SP800-140Br1) FIPS 140-3 validated certificate #4718 posted to the NIST website on July 11th 2024, valid through July 10th, 2029!

“wolfSSL remains focused on enhancing our technologies and expanding capabilities. We are dedicated to continuous innovation in security. The advancements in our FIPS 140-3 module highlight our commitment to delivering state-of-the-art cryptographic solutions that meet the rigorous demands of today’s cybersecurity landscape.” Stated wolfSSL CTO, Todd Ouska.

We are thrilled to work with ÆGISOLVE, INC. on this journey. The wolfSSL team is grateful for the ÆGISOLVE staff’s hard-work and dedication in realizing the very first SP800-140Br1 140-3 certificate in the world! A note from the ÆGISOLVE team:

“‘AEGISOLVE is pleased to announce the world’s first SP800-140Br1 compliant FIPS 140-3 Validation Certificate for wolfSSL’s wolfCrypt module’ reported Travis Spann, Founder and President of AEGISOLVE (NVLAP Lab Code: 200802-0).

‘As a first of its kind, this is a tremendous achievement and a huge step forward for the next generation of FIPS 140-3 Validated Cryptographic Modules. Congratulations, wolfSSL!

Highlights

  • Boot Times
    • wolfCrypt FIPS 140-2, power-on times could be slower due to mandatory self-tests
    • wolfCrypt FIPS 140-3 requires self-tests only at the first algorithm use or during a slower event cycle
      • faster boot times
      • optimal power and resource consumption with careful planning!
  • Design
    • The wolfCrypt FIPS 140-3 validated module is the only commercial FIPS solution tailored for embedded
      • Emphasis on a minimal footprint, low resource use, reduced power consumption, and high performance for standard and real time systems
      • Design leads to superior scalability across devices, from mobile to server
        • 10 times more connections per device at 15-20% better performance than competing solutions.
  • OpenSSL Replacement
  • Embeddability
    • Embedded Systems (Medical, networking, sensors, security systems, etc.)
    • Extended Battery life and high performance
    • Hardware Encryption Support
    • Assembly Acceleration

Changes from the historic wolfCrypt FIPS 140-2 cert #3389 to the active wolfCrypt FIPS 140-3 cert #4718:

  • CAST (conditional algo self tests)
  • KDF-TLS, TLS v1.2 KDF and TLSv1.3 KDF
  • SSH KDF
  • AES-OFB mode
  • RSA 3072, 4096 and PSS
  • New Degraded mode of operation in the event of a CAST failure other algorithm services will remain available.

For more about what FIPS is please checkout these blogs:

For information on transitioning from 140-2 to 140-3 please checkout our blog: What is the difference between FIPS 140-2 and FIPS 140-3?

Algo cert Link
Security Policy Link
Ref: Section 2.5 Algorithms
Ref: Section 2.2 Table 6 “Tested Operational Environments – Software, Firmware, Hybrid”
Cert #4718 Link

For questions, comments or feedback please contact the wolfSSL team anytime at fips@wolfssl.com.

Download wolfSSL Now

wolfSSL 5.7.2 Now Available!

wolfSSL release 5.7.2 is now available! This release includes an implementation of Dilithium, optimizations for RISC-V use, AES-XTS streaming capabilities, and quantum safe algorithm support with the Linux kernel module, to name a few of the recent additions. There have also been other enhancements, such as STM32 AES hardware support for STM32H5 and SHA-3 ARM thumb assembly implementations. Along with these amazing features and enhancements, some great fixes and additional sanity checks were added. One of the additional sanity checks limits the maximum number of alternate names parsed with certificates. This defaults to 128 but can be changed by defining the macro WOLFSSL_MAX_ALT_NAMES to any desired value. A full list of vulnerability fixes, feature additions, and general changes can be found in the ChangeLog.md bundled with wolfSSL or in the main README.md.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3